Has everyone forgotten about Tempora [1], XKEYSCORE [2], PRISM, [3] and the other Snowden revelations [4]? This kind of shit has been going on for at least a decade in various forms.
I find it a bit amusing that we are now at the point where we can say "has everyone forgotten about" about Snowden revelations. When those came out, my reaction at the time was "has everyone forgotten about ECHELON?" https://en.wikipedia.org/wiki/ECHELON
Back in ...huh maybe late 2002, we were testing embedded machines for surveillance video streaming through the then new UMTS 3G system. So we had this very compact (there were no Raspberry Pis back then) Linux machine with its PCMCIA 3G card which would use ffmpeg to stream the video taken by a camera to a nearby broadband-connected PC having a fixed IP.
Everything worked, but we were literally struggling to achieve low latencies because the application would have been in potentially life threatening scenarios; the customer had been very clear about the numbers: half a second maximum latency, not more. We were almost getting there, with some quality tradeoffs, still something was slowing us down, so we fired a traceroute to see the path traveled by our precious video packets, and the shock when we found that to reach a machine on the same bench they went through not one but two countries to get to London, and back.
We filed a detailed request to the carrier, which was our partner, to ask if there was something wrong with routing. We got no reply, other than realizing the following days that they had blocked ICMP and other things so that we couldn't use traceroute anymore.
It doesn't make it ok at all. But this is a double edged sword. Just keeping this in the public eye but without hard action against it simply normalizes the situation as "problem that's only big enough to complain about". People need to see action being taken, like right to repair initiatives that bore fruit.
Unfortunately, unlike right to repair, this is a fight against a government which already has too much leverage on anyone and is gaining more, making the fight progressively more difficult. It's clear that the gov't will use any power at its disposal to fight against any such citizen initiative.
As a person from the UK, no I've not forgotten. The difference here (and this is NOT excusing them) is that you've gone from a series of systems which didn't officially exist, accessible from the select few of intelligence agencies and no doubt secure as hell into private ones which are controlled by people like BT. Yep, BT. The same BT who are laying off 10k staff this year because they need to cut costs. This isn't something they're putting effort into, this is some mandated program which will mean they're going to come up with the cheapest solution to store all your data. That's obviously bad.
What was disappointing about this was that I remember the day this bill got passed. I remember refreshing BBC news repeatedly. Not one article was written about the snoopers charter within the days leading up to it (or the day itself). Now, back to the "bad" again... The list of people who can access these records, without a warrant is just utterly insane. It starts off legit-ish but honestly some of these are pretty hard to justify:
* Metropolitan police force
* City of London police force
* Police forces maintained under section 2 of the Police Act 1996
* Police Service of Scotland
* Police Service of Northern Ireland
* British Transport Police
* Ministry of Defence Police
* Royal Navy Police
* Royal Military Police
* Royal Air Force Police
* Security Service
* Secret Intelligence Service
* GCHQ
* Ministry of Defence
* Department of Health
* Home Office
* Ministry of Justice
* National Crime Agency
* HM Revenue & Customs
* Department for Transport
* Department for Work and Pensions
* NHS trusts and foundation trusts in England that provide ambulance services
* Common Services Agency for the Scottish Health Service
* Competition and Markets Authority
* Criminal Cases Review Commission
* Department for Communities in Northern Ireland
* Department for the Economy in Northern Ireland
* Department of Justice in Northern Ireland
* Financial Conduct Authority
* Fire and rescue authorities under the Fire and Rescue Services Act 2004
* Food Standards Agency
* Food Standards Scotland
* Gambling Commission
* Gangmasters and Labour Abuse Authority
* Health and Safety Executive
* Independent Police Complaints Commissioner
* Information Commissioner
* NHS Business Services Authority
* Northern Ireland Ambulance Service Health and Social Care Trust
* Northern Ireland Fire and Rescue Service Board
* Northern Ireland Health and Social Care Regional Business Services Organisation
* Office of Communications
* Office of the Police Ombudsman for Northern Ireland
* Police Investigations and Review Commissioner
* Scottish Ambulance Service Board
* Scottish Criminal Cases Review Commission
* Serious Fraud Office
* Welsh Ambulance Services National Health Service Trust
Let's not forget who brought us the wonderful law: Theresa May, as home secretary. Architect of the Windrush scandal, for which she took 0 responsibility.
She probably envisioned the Home office doing mass denial of visas based on a lookup of applicant names with IP addresses deemed to be related to terrorist activity.
Why does anybody other than policing and security agencies need access to this stuff? NHS? Fire and rescue? WHAT? They don't have a role in investigating crime. Okay the fire brigade do post-fire analysis of possible arson etc. but that's not something you need access to somebody's internet history for.
Yep, Food Standards Scotland could call up TalkTalk and ask for a copy of my browsing history. This is assuming it's not been leaked because they got hacked by a 16 year old script kiddie *again*.
It's like asking why does the king of Saudi Arabia need to have the power to jail his subjects for no reason? Why does Putin need to have the right to jail or kill political opponents?
The UK doesn't give you right to remain silent (your silence will be used against you), you are compelled to bear witness against yourself (you must surrender passwords), and there are super-injunctions where you are gagged and not even allowed to discuss the legal issue with your lawyer.
This is the country that sent government thugs to force journalists to physically destroy their own laptops and hard drives.
With religious clergy overtly and explicitly being part of government power (in house of lords).
Hell, it's super recent that government power in house of lords stopped being inherited.
Imagine if the US senate was staffed solely by inherited power. Not just in the style of Bush Sr/GWB, but actually inherited. It's not the same, since the US senate is more powerful than the house of lords, but "it's complicated".
So your confusion here may come from the fact that you look at the UK as "like the US, but they talk weird", where it's a couple of steps closer to "like Saudi Arabia, but part of political power is elected".
Obviously Saudi Arabia is much further away along this spectrum, but I hope you see my point anyway. You seem to be saying "how can a free society do this?", where the answer is "because it's not that free, your assumption is flawed".
Well, yes, the UK has many problems including some of the above, but most Western countries are deeply flawed in terms of real freedoms - e.g. US governments routinely murder people (both official "judicial" executions and extra-judicial killings by police), the "patriot" act abridges all sorts of freedoms in the name of terrorism, routine civil forfeiture of random property by police, denial of basic healthcare for many people, abridgement of basic bodily autonomy for women with many states ready to end it entirely if the Supreme Court ever changes its mind, secret unappealable no-fly lists, everything to do with Guantanamo Bay or CIA "black sites".
I'm not saying other countries are perfect, including the US.
But there's a difference. The US is not living up to its ideals of equality and democracy, or even equal treatment under the law (e.g. lying to congress about not "collecting" data about US citizens). The UK is not even aspiring to live up to those standards.
For example take torture. The best way to paint this is to "do horrible things for the protection of freedom and democracy". It's Realpolitik.
I'm still absolutely against torture, but it's a difference in kind to the UK putting religious clergy into positions of government power.
It's possible to defend torture as an instrumental goal to the ultimate goal of freedom & democracy. But the UK is not aiming for the same ultimate goal.
Similarly it's a difference in kind when Trump or Bolsonaro practice nepotism, compared to when some asshat gets a peerage in the UK.
We can list flaws all day, but the difference between the US and the UK here is that the US really does have an ideal of equality, freedom, and democracy, and the UK does not. The UK has not outgrown the Monarchy. And I'm not just talking about the royal family, but the whole aristocracy.
Another way to explain this: If you tell the story of Plebgate to an American, they won't fully get it. It's an insult, yes, but merely saying it's an insult is missing the point. It's bad because the class society is still there. People owning their homes often still literally pay a land tax to someone with a lord title. A land Lord.
It's a step on the spectrum to Saudi Arabia, where within its borders every grain of sand, and every person, is the personal property of the king.
If you take the US and add a permanent unelected head of state, add 20 dedicated priest posts to the senate, remove the first, second, fourth, and fifth amendment, and on top of that have a society that generally feels like this is a good idea, then you have a completely different country.
And it's not a country that even aspires to be as free or democratic as the US. And since the UK doesn't try, it also isn't.
Under Trump we saw that the US institutions were (mostly) holding. What's being "held" in the UK is not even a goal on the level of the US.
You point out many things. And probably those kinds of things the US has done more than Saudi Arabia has done. But nobody would therefore conclude that Saudi Arabia is more freedom&democracy than the US, would they?
This idiot (who is clearly making a completely idiotic, counterproductive and divisive point, since I'm charitable enough to not take her at face value) is there for life. She can't even be voted out. She's there for life.
But what can you expect from the Green Party? Are they actually competent at what they do in any country?
The NHS investigate people for abusing their authority as medical professionals. I don't know how they divide the work with the police, but they do have their own people for investigations.
Also for fraudulent malpractice cases. An investigation made the news recently where a lady was suing a hospital.
She claimed some massive disability following an operation, and the hospital's own investigations team followed her and filmed her jogging, drinking, etc.
It would have been using these same powers to do the surveillance work.
I was amazed that I also couldn't find any prominent mention of this when it passed, but that only cemented my view that our media are not free. They will not publish something that could outrage the public against an agenda that has got a green light and has to go through no matter what. Even so-called outlets that praise themselves as being "anti-Tories" have not published anything. There are plenty of stories like that and it is extremely worrying. I think there is corruption going on at a scale not seen before and there is a media embargo. One striking story I remember was when it was discovered that the husband of the drugs minister (that minister had an anti-cannabis stance) was running medical cannabis crops, making the UK the biggest exporter of cannabis in the world. When this was discovered only RT wrote about it, and weeks later they were threatened that their license would be pulled (on an "unrelated" matter, to not bring attention). Only a few months later, when everyone was talking about it online, the BBC dared to publish the story and the drugs minister promised to withdraw herself from anything cannabis related and she kept the office. Can you imagine that in a civilised country?!
What I don’t get is this: our governments - “ours” being the group of parliamentary democracies - routinely diss authoritarian ones such as China - and rightfully so - for their violations against human rights, among which that to habeas corpus, privacy, and reasonable suspicion.
To the point that we agonized over and sabotaged contact tracing apps, which could have helped a lot in fighting COVID, over claims to privacy and government control.
Now this shit. Fuck it.
You either are or you’re not. So if my privacy is to be made sausages, chopped and sold at the market for FB, ad-tech and spooks, then give me at least some upside! As it is, we’re just bovines with ear tags...
The UK has never been especially supportive of human rights; it has a tradition of a sort of live-and-let-live native libertarianism, which is why we don't have ID cards (+), but it also has the tradition of imperialist repression techniques which means that the public are broadly supportive of the military shooting people in the street if they think they might be terrorists.
Also means you need multiple different forms of identity, at least based on my previous experiences with the UK banking and real estate systems.
It’s not even amazingly secure. A few years ago a TV news investigator managed to get a provisional driving license in the name of the blind then-Home Secretary, David Blunkett.
Because you are taking the government criticism of other countries at face value. This is not a case of a well-intended but barely self-aware organization or even some ideological zealots not giving pause to its enemies. This is just propaganda, pure and simple; they don't give a damn about the Uighurs, freedom of the press or democracy in general, they have an economic and geopolitical adversary who is getting stronger year after year so they will attack it. That boogeyman role has been played by Spain, by France, by Nazi Germany, by the USSR, by Japan, by Libya, by Iraq, by Iran and now by China. For the powerful a foreign enemy is perfect:
- It gives justification to obscene spending on the military
- It justifies imperialist actions which violate international law
- It blinds the local populace with "patriotism"
- It allows the creation of draconian local policies which would not be accepted in "peaceful times"
- It protects the government because any local or foreign criticism can be discarded by using _whataboutism_ about the enemy du jour.
Western governments project. They accuse enemy of something while doing the very thing. In the end humans in power develop the same desires and aim to fulfil them regardless of political framework.
What helps, I find, is to think of governments as administrations. The civil service implements whatever it has been told. Politicians are voted in - this is a sleight of hand to distract the public. (I think of politics as a soap opera for the middle classes.) All the while the real governors operate through global undemocratic organisations, such as the UN and the WHO.
The UN and the WHO are not covert control operations but simply troughs where the friends of the rich can feed.
The real governors operate from their country clubs and banquets. No proper kingmaker would be so obvious as to grab headlines or make public announcements. Where is the personal enrichment in that?
A simple rule of thumb: if you know who they are, they're not the people in control.
In my view privacy has more layers. It has layers of personal data (name, social security, medical records), user-produced data (your family photos), communication (chat) and metadata (ad tracking).
Lately I have seen ad tracking put in the same group as personal data. I don't think they deserve the same level of protection. I think total privacy is fools' gold.
We always ask for total transparency from our governments, yet if they ask even a little of it from us, it's bad. Why?
Also, in our society, wanting too much of anything makes you a weirdo and an outcast. Why has advocating for total privacy become normal(ized)?
"We always ask for total transparency from our governments"
Since time immemorial governments have used the seal of secrecy to hide their daily embarrassments, failures, and corruption.
The UK government has ordered a report into whether Saudi is promoting Jihadism in the UK, and then declared it secret. Same for the Russia report. Recently the government has been sued for handing out multi-billion contracts to pals without challenge, and obviously they immediately reached out for the secrets act.
We are sensitive about private data, because if you believe in a right to remain silent, well, now you can't stay silent.
Even if you are innocent, spurious charges can ruin you financially.
But who are "they" to "ask even a little of it from us"? With all due respect, this sounds as if "they" are not the people we send there to manage _our_ countries, but rather a caste of all-loving, all-watching overlords that we should feed a bit of our freedoms now and then to keep us fed, safe and well. And we all know how that worked in history.
Well we just saw with covid how it works out if everyone gets to do what they want. Too much freedom is just as harmful as too little.
I would argue the only working model was the ancient Romans', having two leaders, a wartime leader and a 'fair-weather one'. It also requires the population to be grown-up enough to know their freedoms can and should be limited at times for their own good. No wonder why 'full citizenship' was rather limited in Rome.
>Too much freedom is just as harmful as too little.
Covid killed what, 0.1% of the population at most, and the average age of death was over 80. Stalin, Mao and Pol Pot killed well over an order of magnitude more than that.
It killed 0.185% of the UK with restrictions in place that limited the infections to 6.28% of the population.
Unconstrained spread would’ve been a bit over one order of magnitude worse, even if that hypothetical somehow managed to avoid overwhelming the NHS with exponential growth making half of all cases happen in the final doubling period.
Is a datacentre considered an ISP in this respect? Between vpns and just remote desktoping into a VM, it seems trivial to circumvent to real criminals while being a privacy nightmare to the rest of the population. There is a probability 1.000 that this data will be abused.
What I want to know is: what happened? I always think of this event 70 years ago [0]:
> "police obtained the fingerprints of every male aged 16 and over who had been in the vicinity of Blackburn on the night of 14-15 May to compare their fingerprints to those left at the crime scene by the perpetrator. ... a milestone in the history of forensic science; this being the first time a mass fingerprinting exercise had been implemented to solve a murder in the United Kingdom."
> Just weeks prior to the execution of Peter Griffiths, all the fingerprint records obtained from individuals who had been in the vicinity of Blackburn between 14 and 15 May were publicly destroyed [emphasis my own] in a mass pulping exercise at a local papermill. Several local journalists were present to record the destruction of the records.
Why was society so vigilant about giving data that might be abused to authorities, and now, when the data is so much more vast and powerful, no one seems to care?
Because it's abstract. The people aren't _actively_ having to do anything, such as hand over their records - it's happening away from them. It's hard to connect with abstract.
It's easier for people to connect with the reason _for_ doing it. Stop the terrorists, it may happen to you, etc. But the other way round is harder because it's invisible and you can live your life without caring. Even the warnings fall on deaf ears because "come on, you're being irrational" or "meh, doesn't affect me".
It is far easier and more enjoyable to believe that Britain is peace- and freedom-loving, which is the continual message from the tabloids, than to keep track of these developments and their implications.
If so, why were they not apathetic and ill-informed then, not even 100 years ago? Certainly people of the time thought Britain was peace- and freedom-loving then, too.
Complexity. A policeman taking a literal print of your body is far simpler and more direct than "big data" and so on.
Remember that most computer users are hazy at best about whether `natwest.my-account.co.uk` is a phishing scam. There isn't the necessary baseline of informed opinion to have a reasonable discussion about this kind of snooping.
In part possibly because it was a few years after WW2 where millions of allied soldiers fought against Fascism which was enforced via secret police (Gestapo).
It's easier to stand against something when there is something to stand against - the end of the cold war meant the west didn't have an "At least we don't do <insert Stasi tactics>" to oppose itself to.
Now we routinely do things that would have made the Stasi wet themselves in excitement.
If I understand correctly, fingerprints were quite the nerdy technology back then. They're not beep boops in a data center, but it takes a high degree of nuance to argue against "if you didn't commit a crime, you have nothing to worry about."
Neither does this specific "nerd". I honestly have yet to be convinced; a lot of it seems very similar to fear mongering and illogical with the arguments being very nebulous. Maybe I have yet to sit down and flesh it out with a deep privacy advocate.
I understand the need for wire tapping and for the police to be able to do their job. What I don't understand is the no need for a warrant. Also the list of public bodies who can access this data includes the health and safety executive, the pensions regulator, the environment agency.
I see no reason why bodies like this can have access to sensitive data about individuals without requiring a warrant.
Not that long ago the most powerful and free country in the world was engulfed in chaos after the killing of George Floyd.
The event was polarising and you had your anti-rioter camp and anti-police camp. It should not be hard to see how there would have been direct chains of command on either side which could facilitate data misuse.
If you want a hard example, look at Hong Kong: protestors getting arrested via all manner of tracking, but also police's family being doxxed by protestors.
The big problem is that our modern legal code is so convoluted that people regularly accidentally commit crimes[0][1] but aren't aware of it, leaving a big gap for inconsistent enforcement (mostly against those who dare challenge authority or the authorities are biased against). There's reasonable evidence that the FBI or rogue agents within the FBI tried blackmailing Dr. Martin Luther King, Jr. into committing suicide.[2] J. Edgar Hoover was collecting a stash of blackmail information on politicians.
I'm very unlikely to speak up enough to become a target, but the next Dr. King, the next Snowden, the opponents of the next Trump or next J. Edgar Hoover are going to have big problems if privacy continues on its present course.
Privacy isn't currently a big problem for the average citizen in our society, but it's very important fat-tail event insurance to have in the future. By the time you realize you need to worry about privacy, it's probably already too late. History has shown liberal democracies are at best metastable (all governments tending toward authoritarianism if not actively maintained) and whistleblowers are an important stabilizing force.
I wonder if it's to do with the physicality of older data collection methods. In your example, the data collection method was very clear: getting your fingers black and ordered to perform an action with them by someone in uniform. The use of that data is even clearer: the potential for being executed.
It is very different to the newer methods where you don't necessarily know what is being collected or what it is being used for.
I saw discussed online the other day some alarmist comments about the government wanting to know "what your bedroom activities are" in response to receiving the census letter in the post and seeing a mention of sexuality. Putting aside the ignorance of conflating sex with sexuality, I thought it was interesting how hard this problem is for most people to deal with.
That same person no doubt uses multiple mainstream social media sites, has browsers full of tracking cookies, uses loyalty cards and has their data collected, sold and used for all sorts of things. But it's the letter through the front door, for, of all things, a function of society that is over 200 years old, that causes alarm.
It's a good observation. Not unrelated, I suspect, to why society no longer cares about basic personal freedoms in the wake of covid panic. Basic private peaceful assembly with your family is now or recently has been a civil and in some places criminal offence.
This often makes me think, what would happen if the authorities suddenly instituted something that actually wasn't trivial to bypass?
There are smart people working for them, why do they keep bringing in this stuff that doesn't actually have an effect against the baddies?
Is it possible that they are self-sabotaging because they actually realize they don't want to live in the world they are rushing headlong towards? Or is that giving them too much credit?
Those trying to communicate will always have the advantage thanks to cryptography. It gives you many ways to secure and obfuscate communications, even in plain view.
I disagree. Surveillance isn’t limited to breaking encryption — the Stasi would put cameras in water cans to spy on funerals, drill holes in walls while you were out to spy on you in your own apartment, etc. — and the tech for meatspace surveillance has only gotten smaller and cheaper since the fall of the Wall. Laser microphones in particular are something a high school student could reasonably make with a pocket-money budget.
> It works best with a small hardware extension (a small speaker/headphone) to focus the sound on the mic, making it silent its surroundings. An idea how to build it is found in the Menu.
Great when you know where the microphone is but can’t leave the area for a private chat; not so useful when the microphone is any nearby substance that reflects some wavelength and which vibrates enough when exposed to sound that the reflected light can be decoded.
They won't, for quite a while because it's good strategy. Don't let your opponent know they're trapped until the very end.
Had the government gone all-in trying to stop piracy, or drugs, back in the day they'd have kicked off this privacy awareness years ago, when they were much less ready. Now they've had a chance to gear up and get behind the terrorist attacks as they happen with stories about the chat clients they use, or how their iPhones kept police from reading their texts, etc. With a little more of this, by the time they do crack down not only will the tech be much more refined but there'll be a properly trained group of people who defend the censorship on safety, or moral, or whatever grounds, to keep the heat away from those who made the decisions.
The idea that the powers aren't actually useful is a completely false meme that techies tell each other because they imagine criminals to behave in a particular way, which is incorrect.
Police powers are routinely shown to be useful in actual criminal investigations.
This is politics, who cares about a few people doing bad stuff...
If the shit hits the fan, you want to know the political stance of all the citizens, and who the troublemakers will be, if something large is happening. ...and for that, it's enough to know which political sites they're visiting, even if you don't know the content itself.
Or, the reason nothing has happened as a result is because nothing serious happened in the "insurrection". I'm suggesting this as a foreigner in a democratic country (a well regarded example country even), a fact I mention to dispel the concept that I'm crypto-republican or even socially (as opposed to fiscally) conservative. I watched 2020 in America through independent videos and through your news, the two of which are very-tenuously connected.
Very few of the capitol-riot criminals (because I totally agree that they committed a bunch of crimes, and are absolutely criminals) were armed, even with the makeshift weapons seen in the previous year's street riots. And they weren't going to hurt anyone because the capitol police and the secret service were preparing the evacuation while Trump was still talking blocks away. Not because they legitimately feared a coup, but because it's just general safety protocol to not sit around and wait for a demonstration or a riot to walk up to you.
Following that you saw the Democrats care as hard as they could. Some are still caring now. But the message didn't resonate with anyone other than their base - it cost them moderate democrat support and hardened moderate republicans against them. They largely stopped because the voters said "It's a non-issue, we don't believe it as told". (I present this as a self-evident fact, despite having seen polls supporting it, because we all know nobody stops beating on an effective drum.)
Anything any large organization does is not about absolutes but about increasing or reducing the probability of something in a population. The small few VPNers can be dealt with later.
Also this is done in america for commercial reasons to sell to adtech, like t-mobile recently or comcast for quite a while and probably all the others.
10 years from now cyberterrorism companies with government clearance will be selling machine learning models trained on these logs of previous criminals. Sad.
When picking an enemy it's vitally important to pick one who doesn't exist, otherwise you could actually end up finding and eliminating them. Also, to pick one that you can manufacture if and when you actually have to show some results.
Big Oil will be replaced with Big ML. The lobbyists will erode our liberties after rinsing our planet. They will make cutesy ads tricking the masses into trusting the models and anyone using protection online will be branded a terrorist.
While I technically agree, I think it's worth noting that gbps internet connections are available for cheap (<40$/mon) in many countries and on the other side a gbps VPN is far from a trivial task, especially if it leaves your country to terminate in another jurisdiction.
VPNs just move the problem around, they don't solve it.
You've gone from your ISP being the point at which interception can happen to your VPS provider and/or their ISP being the point at which interception can happen.
If you use secure protocols then the VPN's ISP should have no way of linking your good with your bad browsing, whereas your ISP sees where the cable is running from and can link everything you view (as far as the IP or hostname at any rate.)
But yeah, you're swapping your ISP and your government for your VPN and maybe their government.
If you're a dissident, you're probably fine. If you're a pirate and the VPN isn't in certain countries, you're probably fine. If it's something both countries disagree with, you're in trouble.
So essentially they're collecting net flow data on every citizen. It may be kind of fun to overload their storage by creating a ton of short connections, probably wouldn't be feasible.
Rest assured things like masscan and file sharing will be singled out and excluded from long term storage.
If I recall correctly there is a process called massive volume reduction by which you filter out “uninteresting stuff”.
It’s not a bad idea, but you’ll need something more sophisticated.
I find this type of legislation works like DVD copy protection: the innocent and non-tech-savvy will be disproportionately affected and it won't do anything to deter those with sufficient knowledge.
A Python script to visit random websites scraped from directories, or just have it request invalid pages if you want the logging to be least compressible.
If ISPs tried, then the public would pressure the government to drop the law.
I calculate, with a 50% reduction from compression (after the required backups to comply with the law the number will be much worse for the ISP), that someone on VM 500Mbit using less than 10% of their connection for this could increase their log size by 200GB per day or 73TB over the 12 months.
I'm not sure if this is referring to the privacy laws or the internet itself, but the internet connectivity in Germany is dreadful in my experience. Capacity is at its limits, to the point that some flats don't have access to the internet.
You're the first comment and I had exactly the same idea. What do you want to bet we've all had the same thinking? As a community we sure like to bend things, for sure.
This seems simultaneously too intrusive, and yet not intrusive enough to actually benefit law enforcement. They are logging source and destination IPs. But to what end? What can that possibly prove? Surely the vast majority of crime occurs at the application level.
This is coupled with extensive logging of DNS queries.
If you connect to IP xxx.xxx.xxx.xxx a few milliseconds after looking up the IP for badsite.com then you're probably connecting to badsite.com. Then they can get a warrant for badsite.com's web server logs, or cloudflares logs if badsite.com is using it...
You can ask one end (typically the service end) for timestamp and local and remote port and IP address.
Then you ask ISP to lookup subscriber info (via account id) based on that.
You can do that already in some EU countries, just by lodging a complaint with police as a service provider (say you have an e-shop) for example. ISPs have to store these logs for some months.
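The two attribution steps described in the comments above (naming a flow from the DNS lookup that preceded it by milliseconds, and mapping a timestamp plus public IP and source port reported by the service end back to a subscriber account) can be shown in a few lines. This is an added example, not code from the article or from any ISP; the resolver log, flow records and CGNAT translation log below are constructed sample data, and the account ids, IP addresses and 5-second correlation window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta


def ts(s):
    """Parse an ISO-8601 timestamp (UTC assumed for the constructed sample data)."""
    return datetime.fromisoformat(s)


# Constructed ISP resolver log: (time, subscriber public IP, queried name, answer IPs)
DNS_LOG = [
    (ts("2021-03-01T10:00:00.100"), "198.51.100.7", "badsite.example", ["203.0.113.10"]),
    (ts("2021-03-01T10:00:00.150"), "198.51.100.7", "cdn.example", ["203.0.113.20", "203.0.113.21"]),
    (ts("2021-03-01T10:05:00.000"), "198.51.100.9", "news.example", ["203.0.113.30"]),
]

# Constructed flow records: (time, src IP, src port, dst IP, dst port)
FLOW_LOG = [
    (ts("2021-03-01T10:00:00.130"), "198.51.100.7", 51000, "203.0.113.10", 443),
    (ts("2021-03-01T10:00:00.200"), "198.51.100.7", 51001, "203.0.113.21", 443),
    (ts("2021-03-01T10:09:00.000"), "198.51.100.7", 51002, "203.0.113.10", 443),  # cached DNS, no lookup nearby
    (ts("2021-03-01T10:05:00.020"), "198.51.100.9", 40000, "203.0.113.30", 443),
]

# Constructed CGNAT translation log: (start, end, public IP, port range low, high, account id).
# Several subscribers share one public IP, which is why the port and time are needed, not just the IP.
NAT_LOG = [
    (ts("2021-03-01T09:00:00"), ts("2021-03-01T11:00:00"), "198.51.100.7", 51000, 51999, "acct-1001"),
    (ts("2021-03-01T09:00:00"), ts("2021-03-01T11:00:00"), "198.51.100.7", 52000, 52999, "acct-1002"),
    (ts("2021-03-01T08:00:00"), ts("2021-03-01T12:00:00"), "198.51.100.9", 40000, 40999, "acct-2001"),
]


def name_flows(dns_log, flow_log, window=timedelta(seconds=5)):
    """Attach to each flow the most recent DNS answer from the same subscriber, no more than
    `window` earlier, whose answer set contains the flow's destination IP (None if no match)."""
    labelled = []
    for ftime, src, sport, dst, dport in flow_log:
        best = None
        for qtime, qsrc, qname, answers in dns_log:
            age = (ftime - qtime).total_seconds()
            if qsrc == src and dst in answers and 0 <= age <= window.total_seconds():
                if best is None or qtime > best[0]:
                    best = (qtime, qname)
        labelled.append((ftime, src, sport, dst, dport, best[1] if best else None))
    return labelled


def subscriber_for(nat_log, when, public_ip, public_port):
    """Resolve what the service end reports (time, client public IP, client source port)
    to an account id via the translation log, or None if nothing covers that tuple."""
    for start, end, ip, lo, hi, acct in nat_log:
        if ip == public_ip and lo <= public_port <= hi and start <= when <= end:
            return acct
    return None


if __name__ == "__main__":
    for row in name_flows(DNS_LOG, FLOW_LOG):
        print(row)
    print(subscriber_for(NAT_LOG, ts("2021-03-01T10:00:00.130"), "198.51.100.7", 51000))
```

The third flow shows the limit of the DNS join: a connection made from a cached answer minutes later has no nearby lookup, so the flow is still recorded but gets no name, which is where the fingerprinting-by-host-set approach mentioned in the thread comes in.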
It wouldn't be too difficult to work out which app/site you're using given profiling data on which hosts are contacted during typical runs, and that data can be generalised in cases where the services use multiple names.
Yes. The more control centralized authority has the more they can control hate speech. Please babysit us apathetic cynical regulatory capture mechanisms - I mean politicians.
Could I submit freedom of information request to my ISP and be provided with all the details they store about my internet browsing? Unfortunately BT are a private company so sounds unlikely..
Freedom of information is about the activities of public authorities, and that includes private sector bodies performing public functions. A person could access aggregate data and other non-personally identifying information this way but it would likely require a court to rule on the public activities of the company. This happened with privately run care homes which were deemed to have public functions.
However, you don't want that: you want a subject access request. This covers data from private sector companies too. Not responding is illegal and you can take them to the Information Commissioner and eventually the Information Tribunal.
This is the information commissioner's office's guide to making a request:
Unfortunately this won’t tell you if the ISP is storing extra data in compliance with the Snooper’s Charter because legal compliance can override the GDPR. Basically, the law saying “you’re not allowed to tell anyone you hold this data” overrides an SAR and a legal case to force compliance would likely fail on these grounds.
Basically, If you are required to store the data under an order, then you are not legally allowed to disclose the fact you have received an order, or what you are storing.
Same as getting a request from the NCA asking for details on an individual, can't disclose that you received one.
Ah. They're the same as the old RIPA requests then. In another life I worked for a company which processed them from time to time. It is a dreadful shame that stuff has survived.
Yeah, only from what I can see, worse.
Rather than just "tell me who had this IP on this date" it will be "tell me everything they visited and looked at during this period"
... if you own and trust the VPN server and exit arrangements then this is true.
But it would have to be outside the UK to avoid the same fate, since you are in the UK, this makes it harder to trust the service provider and their security services not to find your "foreign" traffic very interesting and not subject to their laws protecting their own citizens' data.
A lot of "we don't keep logs" vpn providers were found to very much keep logs of all your traffic. Some of the people in the VPN business are the last ones you would want to see all your traffic.
Tor might work, or at least change the threat model, but it cannot be used as a high bandwidth proxy.
This is what I have done since the original snooper's charter came out. It is not perfect -- I am sure that GCHQ etc have got pretty good at correlation attacks -- but by encrypting _everything_ BT, Virgin Media etc. will just get a list containing exactly one IP and a month-long connection time.
Secondly, I really recommend Andrews & Arnolds [1] as an ISP if you can only get ADSL. I don't use them at home because I need the bandwidth afforded by cable -- for which there is one supplier in my town, Virgin (bah!) -- but AAISP supply my mother's home and are genuinely amazing. She had some issues due to BT and they let me raise an issue via IRC; the few times I have had to get in touch with them it's been an absolute pleasure; they describe their support as "xkcd/806 compliant". Their owner is also a strong campaigner for digital privacy.
You can pay by cash or cryptocurrencies, you don't need to provide them with your email address, headquartered in the EU, Mozilla's VPN is a partnership with them, open source clients with reproducible builds, WireGuard support.
Also, no logins, just a single string of numbers as your account number. So no one can go to mullvad and say "gimme the deets for criminal@gmail.com", which is nice.
Just switch between different ones every few months or so. Try to select some which are not obviously nefarious against you and might be going bankrupt soon, in the hope of their not keeping many logs or records afterwards.
VPN solves absolutely nothing. You are just moving your root of trust around. Nym is a very promising mixnet that is built with a global passive adversary in mind. That may work.
Isn't this almost exactly the use-case for a VPN: one well-defined snooping adversary? If one _assumes_ that the VPN provider doesn't lie (or at the very least is independently audited) and has a server beyond your jurisdiction then isn't moving the root of trust away from your un-trustworthy ISP the right thing to do?
If you have the right skills, it's not hard to set up Squid or your choice of other proxy software in the EU (eg outside the UK), and direct your browsing traffic over it.
Latency from the UK to (say) Germany or the Netherlands isn't too bad either.
Someone did this for torrents, they built a website that scrapes the DHT data and creates a record of every torrent downloaded by each IP address, publicly searchable. This data is technically public and anyone could have got it including governments, making a site to access it just helps awareness.
This monitoring is primarily about metadata, which is necessarily not encrypted anyway. The concern that most people aren't aware of how much data they're leaking may be justified, but unless you're planning to redesign the Internet, exposing it isn't going to help much.
That seems like a weak slippery-slope argument. The exemptions to the usual rules that require ISPs to comply with government security policy here and keep quiet about it only cover those things.
So for one thing, using the data collected for anything else or providing it to anyone else would be an immediate and severe breach of both data protection and security laws. That would have serious consequences for the ISP doing it.
For another, it would bring that monitoring system into disrepute and damage the credibility of a government that wants to be seen as strong on security. As a previous government learned to its cost when it tried to introduce personal ID cards here, even voters in the UK (who traditionally have a majority in favour of tough policing and security measures) still have lines they aren't willing to cross.
In short, while there is plenty of scope to debate whether a system like this is necessary or justified as a security measure, it's highly unlikely that it will also be turned into the kind of sell-all-your-data exercise that might be a concern in some other parts of the world.
Aren't uk ISPs already required to keep logs of everything that happens on a connection? How is this different to that? I'm not trying to be snarky, I'm just confused what is being added when they already (I thought) collected everything on everyone...
As recently as October 2020, the Court of Justice of the European Union ruled that data retention laws in the UK, Belgium and France are illegal as they aren't in accordance with EU directives:
> Today 6 October 2020, the Court of Justice of the European Union (CJEU) delivered its verdict on four data retention cases in France, Belgium and the UK, in the context of these countries surveillance programmes. The European Court of Justice ruled that the surveillance laws of France, Belgium, and the United Kingdom fail to safeguard fundamental rights and freedoms. The CJEU rules that general and indiscriminate data retention is allowed under EU law when the State faces a “serious threat to national security” that is present or foreseeable, but only under the scrutiny of courts or independent administrative bodies and when this is done only temporarily. Finally, the CJEU specifies that national courts cannot use information obtained from bulk retention regimes against suspects in criminal proceedings.
> “Today’s judgement is a massive blow to existing laws in France, UK and Belgium and to other current data retention practices by Member States”, said Diego Naranjo, Head of Policy at European Digital Rights (EDRi). “With this judgement, the CJEU essentially rules that, States can only engage in general and indiscriminate data retention when they face a “serious threat to national security” that is present or foreseeable, when subject to a court or administrative body review. The CJEU has put a stop to current illegal practices and disregards practices that are not under a national court’s scrutiny in the name of national security or in the fight against “terrorism””, he added.
> Data retention practices entail the storage of traffic and location data (metadata) by telecommunications companies for an extended period of time in order to ensure the availability of such data for law enforcement purposes. As electronic communications technologies are increasingly used in the course of criminal activity, electronic communications data can play an important role in criminal investigations. Mandating the bulk retention of this data, however, poses serious risks to the right to privacy and communications freedoms.
This was October 2020. The CJEU still held jurisdiction over the UK courts during the transition period after Brexit (31 Jan 2020 - 1 Jan 2021) per the withdrawal agreement.
> The Court of Justice of the European Union continues to have jurisdiction over the United Kingdom during the transition period. This also applies to the interpretation and implementation of the Withdrawal Agreement.
The U.K. is free to do whatever with little to no recourse for U.K. citizens beyond appeal to their own Supreme Court to challenge the constitutionality of data retention / surveillance laws.
That said, the EU is not without its own particular faults and shortcomings, but there are times when it does pay off to be able to challenge national legislation and policy making when it threatens human rights and freedoms such as they are purported to be upheld on the West-European continent.
As far as "governments" go, across the EU, the separation of powers is a thing. If data retention laws are enacted, that's a reflection of the prevailing winds / power balances between the legislative, executive and judicial bodies.
Old news, ISPs have been using Deep Packet Inspection (DPI) for ages. Purely in the interests of "prioritise latency" for video or voice that "don't tolerate dropped packets" ;]
My educated guess would be no. There are some fairly obvious compression and junk filtering techniques, and the size of the record presented as an example is a lot smaller than a cat video file. (-:
Of course, a computer trying to hide like that would also raise a red flag.
“If you want total security, go to prison. There you’re fed, clothed, given medical care and so on. The only thing lacking is freedom” --Eisenhower (b. 1890)
Congress then really outdid themselves by focusing all legislation on telephone calls (as if anyone younger than 60 even cares about that part) and leaving the internet snooping untouched. Really fantastic misdirection.
Ahh, but it’s actually very clever: young terrorists use phone calls to communicate figuring all the normal means are being spied upon whereas nobody uses the phone anyway so it won’t be spied on.
People always ask me about misdirection, It's fantastic. Let me tell you about misdirection. I do very well with misdirection. I love misdirection. No one loves misdirection more than me, BELIEVE ME. Misdirection loves me. We're going to have so many misdirections you are going to get sick of misdirection. The misdirection just got 10 feet higher. I have the best misdirection.
The article says they are trying: "The IPAct effectively prohibits ISPs from talking about much of this, which makes it difficult to verify the details"
I'm not sure if the "URL" column in a table in the article is supposed to contain URLs. In the example it only has domain names. I don't think full URLs can be obtained from SSL/TLS connections.
I assume it's because lay people don't distinguish a domain name, an FQDN, eTLD+1, URL, "web address", URI, etc., and I'm sure that it's just as frustrating in any other discipline with a complicated vocabulary.
#Appendix isn't sent anywhere, your browser only needs that locally
The path /some/directory and the query ?someParameter=Value are encrypted using keys which should be known only to the browser and server, today in most cases the keys are random and will be forgotten soon afterwards
The scheme https is implied by your browser's connection to an HTTPS web server. Modern browsers also explicitly transmit ALPN requesting h2 (HTTP/2) if available in their ClientHello; this will not be encrypted today.
The server name www.example.com is somewhat implied by your browser's connection to an IP address for this server. Any browser that still works in 2021 explicitly transmits the SNI requesting this name, so as to enable Virtual Hosting which offers multiple distinct web servers on a single IP address. SNI is also in the ClientHello and thus not encrypted.
The full server name will also be looked up by the browser in DNS. In many cases this means an unencrypted UDP query for that name, and this may in turn trigger a query for example.com, and in theory at least, com itself because DNS is hierarchical and the hierarchy may need to be discovered.
You can secure some of this last step by using any of the DPRIVE technologies, including DNS over HTTPS (DoH) or DNS over TLS (DoT) and some day DNS over QUIC (DoQ). Eventually DPRIVE might also secure the recursion, but even today if snoopers can see that Google's DNS service asked about example.com that does not pin down who wanted them to do that, let alone why.
If you've secured DNS, this will pave the way for ECH, a forthcoming standard to Encrypt the ClientHello. It is likely that popular browsers will begin just doing ECH (silently enabling it for at least some users) in the next year or so, but right now it isn't quite finished.
Even with an Encrypted ClientHello, the IP gives away roughly who you connected to. The Internet Archive, the Fox News web site, and Wikipedia have no interest in sharing IP addresses with Porn Hub so as to throw off snoopers who are wondering roughly what you're doing. On the other hand, Encrypted ClientHello would hide whether you're looking at the German Wiktionary or the English Wikipedia page about the Hitler Youth, and it would mean there was no longer a privacy advantage to a site using directory prefixes to categorise things versus using server names.
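To make the point in the comment above concrete (the path and query are encrypted, but SNI and ALPN travel in the plaintext ClientHello), here is an added example, not part of the original page, that builds a minimal ClientHello by hand and then parses it the way a passive observer on the wire would. The record bytes are constructed sample input, not captured traffic; the single cipher suite and fixed client random are assumptions to keep the sample small, and the parser deliberately handles only an unfragmented ClientHello with the two extensions of interest.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension (RFC 6066)
EXT_ALPN = 0x0010         # ALPN extension (RFC 7301)


def build_client_hello(sni, alpn):
    """Assemble a constructed TLS record carrying a ClientHello with optional SNI and ALPN.
    Not a real capture: one cipher suite, a fixed random, no other extensions."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        data = struct.pack("!H", len(entry)) + entry                    # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        data = struct.pack("!H", len(protos)) + protos                  # ProtocolNameList
        exts += struct.pack("!HH", EXT_ALPN, len(data)) + data
    body = (
        b"\x03\x03"                                 # legacy_version: TLS 1.2
        + b"\x11" * 32                              # client random (fixed for the sample)
        + b"\x00"                                   # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"        # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (sni, alpn_list) as seen by anyone who can read the unencrypted record.
    Raises ValueError if the bytes are not a single ClientHello handshake record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    p = 2 + 32                                           # skip version and random
    p += 1 + body[p]                                     # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]       # cipher suites
    p += 1 + body[p]                                     # compression methods
    if p >= len(body):
        return None, []                                  # no extensions block
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    sni, alpn = None, []
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        data = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == EXT_SERVER_NAME:
            q = 2                                        # skip ServerNameList length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
                if ntype == 0:
                    sni = data[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        elif etype == EXT_ALPN:
            q = 2                                        # skip ProtocolNameList length
            while q < len(data):
                plen = data[q]
                alpn.append(data[q + 1:q + 1 + plen].decode("ascii", "replace"))
                q += 1 + plen
    return sni, alpn


if __name__ == "__main__":
    rec = build_client_hello("www.example.com", ["h2", "http/1.1"])
    print(parse_client_hello(rec))   # the observer learns the host name and HTTP version, never the path
```

Nothing in the record tells the observer /some/directory or ?someParameter=Value; those only exist inside the encrypted application data that follows the handshake. A ClientHello without SNI (second test case below) still leaks the destination IP from the packet header, which is the residual exposure the comment describes for ECH as well.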
The set of IP addresses you connect to correlates with the domain connected to and the amount of data transferred correlates with the exact URL being loaded.
You have a piece of paper, America has a piece of paper, but neither of them is worth anything if the protections they declare are not upheld. The repercussions for violating those protections are more trivial than traffic violations.
The US has laws that should have prevented people from lying to Congress about PRISM, but it happened anyway.
Your Article 8 protections only matter as much as they're enforced and respected by the government. If Article 8 was the defense you imagine it to be, then the Investigatory Powers Bill wouldn't have passed in the first place.
It's very hard for me to square the text of Article 8 with a bill that allows warrantless access of every single IP address you visit. If that's consistent with the government's interpretation of the text, then it doesn't sound to me like the text is doing its job.
The actual left is generally against that sort of thing, and even significant factions on the right don't want the kind of government control, what you should be concerned about are liberal centrist people.
I hate to break it to you, but Greenwald is just another "I was a teenage leftist" Republican getting ready for his book tour. He's been pandering to Trump supporters for a few years now...
He's a terrible example to cite if you want to support the actual left.
I mean, he has started spreading TERF propaganda on Twitter (because those particular brainworms always infect the new converts, for whatever reason). That and the Trump thing aren't minor ideological differences - they're fundamental, irreconcilable conflicts. There's no future for them.
Probably more like "actual left" in contrast to the milquetoast kind that passes for the left wing of mainstream US politics, which are center-right by global standards.
I'm not as concerned as I might be. My rather meager understanding, which may be entirely baseless, is that unlike the NSA, which is obsessive about collecting every single scrap of data (and many large chunks), the UK intelligence services are rather more discerning. Again, I would be happy for someone to correct me; that's just the general impression I get.
All it suggests is that the UK is happy to curry favour with the US government and doesn't give a hoot about the perceived rights of American citizens. Harsh, but true.
Their own citizens are an entirely different ballpark, as you might say.
I don't know, I think the mentality here is that the government is spying for you, not at you. Is it different in the US? And is that because all revelations revolve around the fact that citizens are being spied on?
As someone who lives in the UK, I've never once seen a vandalised CCTV camera or even a vandalised road speed camera (which I'm given to understand is more common).
I've seen many of the early "Gatso[0]" cameras vandalised.
My understanding is that they originally used film, which had to be retrieved, so trying to burn it down with a well placed tyre had a chance of avoiding a fine.
That is truly nasty stuff. Stuff like this is part of the reason I try not to invest too much of myself on the 'net and obfuscate as much as possible (I'm not really a marshmallow).
Isn't there a fairly solid connection (read: partnership) between US and UK intelligence? Isn't such a chain only as strong as the weakest link? It's hard to imagine any of our European allies to be too far off the NSA's pace.
> Using candy-coated language for such things is as (almost as) harmful as the acts themselves.
'Snooping' isn't candy-coated language in British English, and this is a British article. It's just another way to say surveillance. You're imagining a meaning that isn't there.
Brit here: can concur. 'Snooping' is pejorative in British English. It implies that (at the very least) you are sticking your nose where it doesn't belong, and always carries a hint of sinister overtone.
When your ISP is logging your every move for a year. And making it available to the government. Regardless of country, that's not snooping. It's surveillance.
The fact that some of you accept snooping as being legitimate description simply proves my point about candy-coating it.
> When your ISP is logging your every move for a year. And making it available to the government. Regardless of country, that's not snooping.
But that's just not true in British English.
I don't know anything about you but your comments imply you're not British? If so, you'll just have to accept you don't know the meaning of these words in written British English.
You're mistaken. I don't know what else to tell you?
[1] https://en.wikipedia.org/wiki/Tempora
[2] https://en.wikipedia.org/wiki/XKeyscore
[3] https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
[4] https://en.wikipedia.org/wiki/Global_surveillance_disclosure...